Problem:
When the switch is configured to use a downloaded user role (DUR) from ClearPass Policy Manager (CPPM), the following event may be logged under certain conditions:
W 07/11/19 00:48:53 05204 dca: Failed to apply user role TEST_DUR-3045-1_7Z4q to macAuth client 005056831001 on port 2: user role is invalid.
In the log event above the client MAC is 005056831001 and the DUR name is TEST_DUR-3045-1; the _7Z4q suffix seen in the logged role name is appended by the switch and is not part of the configured role name.
Diagnostics:
The mac-based debug output reports the same failure in the following pair of messages:
0000:00:48:53.15 MAC mWebAuth:Failed to apply user role TEST_DUR-3045-1_7Z4q to macAuth client 005056831001 on port 2: user role is invalid.
0000:00:48:53.30 MAC mWebAuth:Port: 2 MAC: 005056-831001 [58] assigned role 'TEST_DUR-3045-1_7Z4q' failed, attempting to apply initial role.
The following debug commands can be used to narrow down the issue:
SW-1# debug destination session
SW-1# debug destination buffer
SW-1# debug security radius-server
SW-1# debug security ssl
SW-1# debug security port-access mac-based include port <port_number>
The SSL debug produces the following output:
0000:00:48:51.28 SSL mcppmTask:handleClientHandshakeMessages() returns status =
0000:00:48:51.37 SSL mcppmTask:-1
0000:00:48:51.41 SSL mcppmTask:SSL_SOCK_receive() returns status =
0000:00:48:51.48 SSL mcppmTask:-1
0000:00:48:51.52 SSL mcppmTask:SSL:doProtocol() returns status =
0000:00:48:51.59 SSL mcppmTask:-1
0000:00:48:51.63 SSL mcppmTask:SSL_negotiateConnection() returns status =
0000:00:48:51.71 SSL mcppmTask:-1
0000:00:48:51.74 SSL mcppmTask:SSL_closeConnection() from AppType:
0000:00:48:51.82 SSL mcppmTask:4
The SSL debug messages above (every handshake call returning -1, followed by SSL_closeConnection) show that the TLS handshake between the switch and the RADIUS server (CPPM) never completed, so the switch could not download the role. A common cause is that the root certificate of the CA that issued the CPPM HTTPS certificate is missing from the switch, so the switch cannot validate the CPPM server certificate.
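As an added example (not part of this article, and not switch or CPPM code), the following Python script parses the two kinds of lines shown above, the 05204 dca event and the mac-based debug message, and correlates them with the SSL debug status lines. It flags a DUR failure as a probable trust-anchor problem when a failed SSL_negotiateConnection() precedes it in the same debug buffer. The sample lines are constructed from the output quoted in this article; the assumption that the switch-added tag is exactly four characters (as in _7Z4q) is the script's own.

```python
"""Parse ArubaOS-Switch DUR failure messages and correlate them with SSL debug
failures to flag a probable missing trust anchor. Sample lines are constructed
from the article; the 4-character role tag is an assumption."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Debug buffer prefix: "0000:HH:MM:SS.cc <SUBSYS> <task>:<message>"
DEBUG_RE = re.compile(
    r"^(?P<ts>\d{4}:\d{2}:\d{2}:\d{2}\.\d{2}) (?P<subsys>\w+) (?P<task>\w+):(?P<msg>.*)$"
)
# Message body shared by the event-log line and the mac-based debug line.
FAIL_RE = re.compile(
    r"Failed to apply user role (?P<role>\S+) to (?P<auth>\w+) client "
    r"(?P<mac>[0-9A-Fa-f]{12}) on port (?P<port>[^:\s]+): user role is invalid\.?"
)
# Assumption: the switch appends "_" plus a 4-character tag to the DUR name.
SUFFIX_RE = re.compile(r"^(?P<base>.+)_(?P<tag>[A-Za-z0-9]{4})$")


@dataclass
class DurFailure:
    timestamp: str   # "HH:MM:SS" from the event log or "0000:HH:MM:SS.cc" from debug
    role: str        # role name as logged, e.g. TEST_DUR-3045-1_7Z4q
    dur_name: str    # configured DUR name without the switch-added tag
    mac: str
    port: str


def split_role(role: str) -> Tuple[str, str]:
    """Split a logged role name into (configured DUR name, switch-added tag)."""
    m = SUFFIX_RE.match(role)
    return (m["base"], m["tag"]) if m else (role, "")


def parse_failure(line: str) -> Optional[DurFailure]:
    """Return a DurFailure for an event-log or debug line, else None."""
    m = FAIL_RE.search(line)
    if not m:
        return None
    d = DEBUG_RE.match(line)
    if d:
        ts = d["ts"]
    else:
        # Event log line: "W 07/11/19 00:48:53 05204 dca: ..." -> third field is the time
        parts = line.split(" ", 3)
        ts = parts[2] if len(parts) > 3 else ""
    base, _tag = split_role(m["role"])
    return DurFailure(ts, m["role"], base, m["mac"].lower(), m["port"])


def ssl_failed_calls(lines: List[str]) -> List[Tuple[str, str]]:
    """Pair each 'X() returns status =' line with the value line that follows it
    and return (timestamp, call) for calls that returned a negative status."""
    failed = []
    pending = None
    for line in lines:
        d = DEBUG_RE.match(line)
        if not d or d["subsys"] != "SSL":
            continue
        msg = d["msg"].strip()
        if msg.endswith("returns status ="):
            pending = (d["ts"], msg[: -len(" returns status =")].strip())
        elif pending and re.fullmatch(r"-?\d+", msg):
            if int(msg) < 0:
                failed.append(pending)
            pending = None
    return failed


def diagnose(debug_lines: List[str]) -> Tuple[List[DurFailure], str]:
    """Return (DUR failures, verdict). The verdict points at the trust anchor when a
    failed SSL_negotiateConnection() precedes the first DUR failure."""
    failures = [f for f in (parse_failure(l) for l in debug_lines) if f]
    tls_fail_ts = [ts for ts, call in ssl_failed_calls(debug_lines)
                   if call.startswith("SSL_negotiateConnection")]
    if failures and any(ts <= failures[0].timestamp for ts in tls_fail_ts):
        verdict = "probable missing trust anchor: TLS handshake to CPPM failed before DUR apply"
    elif failures:
        verdict = "DUR apply failed but no TLS failure seen: check the role definition on CPPM"
    else:
        verdict = "no DUR failure"
    return failures, verdict


# Constructed sample input, taken from the debug output quoted in the article.
SAMPLE_DEBUG = """\
0000:00:48:51.63 SSL mcppmTask:SSL_negotiateConnection() returns status =
0000:00:48:51.71 SSL mcppmTask:-1
0000:00:48:51.74 SSL mcppmTask:SSL_closeConnection() from AppType:
0000:00:48:51.82 SSL mcppmTask:4
0000:00:48:53.15 MAC mWebAuth:Failed to apply user role TEST_DUR-3045-1_7Z4q to macAuth client 005056831001 on port 2: user role is invalid.
0000:00:48:53.30 MAC mWebAuth:Port: 2 MAC: 005056-831001 [58] assigned role 'TEST_DUR-3045-1_7Z4q' failed, attempting to apply initial role.
""".splitlines()
SAMPLE_EVENT = ("W 07/11/19 00:48:53 05204 dca: Failed to apply user role TEST_DUR-3045-1_7Z4q "
                "to macAuth client 005056831001 on port 2: user role is invalid.")

if __name__ == "__main__":
    print(parse_failure(SAMPLE_EVENT))
    found, verdict = diagnose(SAMPLE_DEBUG)
    for f in found:
        print(f"{f.timestamp} port {f.port} mac {f.mac} DUR {f.dur_name}")
    print(verdict)
```

Feeding the script the combined output of `debug security ssl` and `debug security port-access mac-based` from the debug buffer is enough to separate the "role is invalid because the download never happened" case from a role that is actually malformed on CPPM; in the latter case the SSL status lines will be absent and the verdict points back to the role definition.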
Solution:
Extract the root CA certificate from the CPPM HTTPS certificate chain and install it on the switch as a trust anchor, so the switch can validate the CPPM server certificate during the TLS handshake.
---------------Install Root Certificate---------------
SW-1(config)# crypto pki ta-profile CPPM    // crypto pki ta-profile <profile-name>
SW-1# copy tftp ta-certificate CPPM 192.168.1.15    // copy tftp ta-certificate <profile-name> <TFTP-server-IP-address>